New aes-hmac implemention.

Author: mxk

go1/sqlite3/codec/aes-hmac.go

@@ -15,101 +15,100 @@ import (
 	. "code.google.com/p/go-sqlite/go1/sqlite3"
 )
 
-// TODO(max): Remove the master key.
-// TODO(max): MAC the cipher spec.
-// TODO(max): HMAC key should be the same size as the output.
-
 type aesHmac struct {
-	key  []byte // Key provided to newAesHmac
-	p1k  []byte // Page 1 key (subslice of key)
-	p1i  []byte // Page 1 HKDF info ("go-sqlite")
-	buf  []byte // Page encryption buffer
-	kLen int    // Cipher and HMAC key length in bytes (16, 24, or 32)
-	tLen int    // Tag length in bytes (HMAC truncation)
-
-	// Hash function and cipher chaining mode constructors
+	key  []byte  // Key provided to newAesHmac with the master key removed
+	buf  []byte  // Page encryption buffer
+	hdr  [4]byte // Header included in each HMAC calculation (page number)
+	tLen int     // Tag length in bytes (HMAC truncation)
+
+	// Hash function and chaining mode constructors
 	hash func() hash.Hash
 	mode func(block cipher.Block, iv []byte) cipher.Stream
 
-	// Block cipher and HMAC hash initialized from the master key
+	// Block cipher and HMAC initialized from the master key
 	block cipher.Block
 	hmac  hash.Hash
 }
 
 func newAesHmac(ctx *CodecCtx, key []byte) (Codec, *Error) {
-	_, opts, mk := parseKey(key)
-	if mk == nil {
+	name, opts, mk := parseKey(key)
+	if len(mk) == 0 {
 		return nil, keyErr
 	}
+	defer wipe(mk)
+
+	// Configure the codec
 	c := &aesHmac{
-		key:  key,
-		p1k:  mk,
-		p1i:  []byte("go-sqlite\x00")[:9],
-		kLen: 16,
+		key:  key[:len(key)-len(mk)],
 		tLen: 16,
 		hash: sha1.New,
 		mode: cipher.NewCTR,
 	}
-	if err := c.config(opts); err != nil {
+	suite := suiteId{
+		Cipher:  "aes",
+		KeySize: "128",
+		Mode:    "ctr",
+		MAC:     "hmac",
+		Hash:    "sha1",
+		Trunc:   "128",
+	}
+	kLen := 16
+	if err := c.config(opts, &suite, &kLen); err != nil {
 		return nil, err
 	}
+
+	// Derive encryption and authentication keys
+	hLen := c.hash().Size()
+	salt := make([]byte, hLen)
+	copy(salt, name)
+	dk := hkdf(mk, salt, kLen+hLen, c.hash)(suite.Id())
+	defer wipe(dk)
+
+	// Initialize the block cipher and HMAC
+	var err error
+	if c.block, err = aes.NewCipher(dk[:kLen]); err != nil {
+		return nil, NewError(MISUSE, err.Error())
+	}
+	c.hmac = hmac.New(c.hash, dk[kLen:])
 	return c, nil
 }
 
 func (c *aesHmac) Reserve() int {
-	return c.kLen + aes.BlockSize + c.tLen
+	return aes.BlockSize + c.tLen
 }
 
 func (c *aesHmac) Resize(pageSize, reserve int) {
 	if reserve != c.Reserve() {
 		panic("sqlite3: codec reserve value mismatch")
 	}
-	tMax := c.hash().Size()
-	c.buf = make([]byte, pageSize, pageSize-c.tLen+tMax)
+	hLen := c.hash().Size()
+	c.buf = make([]byte, pageSize, pageSize-c.tLen+hLen)
 }
 
 func (c *aesHmac) Encode(p []byte, n uint32, op int) ([]byte, *Error) {
-	// Generate new random IV (HKDF salt for page 1)
 	iv := c.pIV(c.buf)
 	if !rnd(iv) {
 		return nil, prngErr
 	}
-
-	// Create the master key if encrypting page 1 for a new database
-	if c.block == nil && !c.init(p, n, true) {
-		return nil, codecErr
-	}
-
-	// Encrypt-then-MAC
-	cipher, hmac := c.cipher(n, iv)
-	cipher.XORKeyStream(c.buf, c.pText(p))
+	c.mode(c.block, iv).XORKeyStream(c.buf, c.pText(p))
 	if n == 1 {
-		copy(c.buf[16:], p[16:24]) // Bytes 16 through 23 cannot be encrypted
+		copy(c.buf[16:], p[16:24])
 	}
-	c.mac(c.buf, n, hmac, false)
+	c.auth(c.buf, n, false)
 	return c.buf, nil
 }
 
 func (c *aesHmac) Decode(p []byte, n uint32, op int) *Error {
-	// Verify tag
-	cipher, hmac := c.cipher(n, c.pIV(p))
-	if !c.mac(p, n, hmac, true) {
+	if !c.auth(p, n, true) {
 		return codecErr
 	}
-
-	// Decrypt
 	if n == 1 {
 		copy(c.buf, p[16:24])
 	}
-	cipher.XORKeyStream(p, c.pText(p))
+	c.mode(c.block, c.pIV(p)).XORKeyStream(p, c.pText(p))
 	if n == 1 {
 		copy(p[16:24], c.buf)
 	}
-
-	// Get the master key if decrypting page 1 for the first time
-	if c.block == nil && !c.init(p, n, false) {
-		return codecErr
-	}
 	return nil
 }
 
@@ -118,21 +117,26 @@ func (c *aesHmac) Key() []byte {
 }
 
 func (c *aesHmac) Free() {
-	wipe(c.key)
-	*c = aesHmac{}
+	c.buf = nil
+	c.block = nil
+	c.hmac = nil
 }
 
 // config applies the codec options that were provided in the key.
-func (c *aesHmac) config(opts map[string]string) *Error {
+func (c *aesHmac) config(opts map[string]string, s *suiteId, kLen *int) *Error {
 	for k := range opts {
 		switch k {
 		case "192":
-			c.kLen = 24
+			s.KeySize = k
+			*kLen = 24
 		case "256":
-			c.kLen = 32
+			s.KeySize = k
+			*kLen = 32
 		case "ofb":
+			s.Mode = k
 			c.mode = cipher.NewOFB
 		case "sha256":
+			s.Hash = k
 			c.hash = sha256.New
 		default:
 			return NewError(MISUSE, "invalid codec option: "+k)
@@ -141,66 +145,21 @@ func (c *aesHmac) config(opts map[string]string) *Error {
 	return nil
 }
 
-// cipher returns the stream cipher and HMAC hash for page n. Both are reset to
-// their initial state.
-func (c *aesHmac) cipher(n uint32, iv []byte) (cipher.Stream, hash.Hash) {
-	if n > 1 {
-		c.hmac.Reset()
-		return c.mode(c.block, iv), c.hmac
-	}
-
-	// Derive page 1 cipher key, HMAC key, and IV
-	dkLen := 2 * c.kLen
-	dk := hkdf(c.p1k, iv, dkLen+aes.BlockSize, c.hash)(c.p1i)
-	dk, iv = dk[:dkLen], dk[dkLen:]
-	defer wipe(dk)
+// auth calculates and verifies the HMAC tag for page p. It returns true iff the
+// tag is successfully verified.
+func (c *aesHmac) auth(p []byte, n uint32, verify bool) bool {
+	c.hdr[0] = byte(n >> 24)
+	c.hdr[1] = byte(n >> 16)
+	c.hdr[2] = byte(n >> 8)
+	c.hdr[3] = byte(n)
 
-	// Initialize the stream cipher and HMAC for page 1
-	if block, hmac := c.rekey(dk[:c.kLen], dk[c.kLen:]); block != nil {
-		return c.mode(block, iv), hmac
-	}
-	return nil, nil
-}
-
-// mac calculates and optionally verifies the HMAC tag for page p. It returns
-// true iff the tag verification is successful.
-func (c *aesHmac) mac(p []byte, n uint32, h hash.Hash, verify bool) bool {
-	h.Write([]byte{byte(n >> 24), byte(n >> 16), byte(n >> 8), byte(n)})
-	h.Write(c.pAuth(p))
 	tag := c.pTag(c.buf)
-	h.Sum(tag[:0])
-	return verify && hmac.Equal(tag, c.pTag(p))
-}
-
-// init initializes the block cipher and HMAC hash using the page 1 master key.
-// It returns true on success and false otherwise.
-func (c *aesHmac) init(p []byte, n uint32, newKey bool) bool {
-	if n != 1 {
-		return false // First call to Encrypt or Decrypt must be for page 1
-	}
-
-	// Load or generate the master key
-	mk := c.pKey(p)
-	if newKey && !rnd(mk) {
-		return false
-	}
+	c.hmac.Reset()
+	c.hmac.Write(c.hdr[:])
+	c.hmac.Write(c.pAuth(p))
+	c.hmac.Sum(tag[:0])
 
-	// Derive cipher and HMAC keys from the master key
-	hdr := append(make([]byte, 0, 17), p[:16]...)
-	dk := hkdf(mk, nil, 2*c.kLen, c.hash)(hdr)
-	defer wipe(dk)
-
-	// Initialize the block cipher and HMAC
-	c.block, c.hmac = c.rekey(dk[:c.kLen], dk[c.kLen:])
-	return c.block != nil
-}
-
-// rekey creates a new block cipher and HMAC hash using the specified keys.
-func (c *aesHmac) rekey(ck, hk []byte) (cipher.Block, hash.Hash) {
-	if block, err := aes.NewCipher(ck); err == nil {
-		return block, hmac.New(c.hash, hk)
-	}
-	return nil, nil
+	return verify && hmac.Equal(tag, c.pTag(p))
 }
 
 // pAuth returns the page subslice that gets authenticated.
@@ -213,16 +172,9 @@ func (c *aesHmac) pText(p []byte) []byte {
 	return p[:len(p)-c.tLen-aes.BlockSize]
 }
 
-// pKey returns the master key from page 1.
-func (c *aesHmac) pKey(p []byte) []byte {
-	off := len(p) - c.tLen - aes.BlockSize - c.kLen
-	return p[off : off+c.kLen]
-}
-
-// pIV returns the page initialization vector (HKDF salt for page 1).
+// pIV returns the page initialization vector.
 func (c *aesHmac) pIV(p []byte) []byte {
-	off := len(p) - c.tLen - aes.BlockSize
-	return p[off : off+aes.BlockSize]
+	return p[len(p)-c.tLen-aes.BlockSize : len(p)-c.tLen]
 }
 
 // pTag returns the page authentication tag.

go1/sqlite3/codec/codec.go

@@ -91,3 +91,40 @@ func wipe(b []byte) {
 		b[i] = 0
 	}
 }
+
+// suiteId constructs a canonical cipher suite identifier.
+type suiteId struct {
+	Cipher  string
+	KeySize string
+	Mode    string
+	MAC     string
+	Hash    string
+	Trunc   string
+}
+
+func (s *suiteId) Id() []byte {
+	id := make([]byte, 0, 64)
+	section := func(parts ...string) {
+		for i, p := range parts {
+			if p != "" {
+				parts = parts[i:]
+				goto write
+			}
+		}
+		return
+	write:
+		if len(id) > 0 {
+			id = append(id, ',')
+		}
+		id = append(id, parts[0]...)
+		for _, p := range parts[1:] {
+			if p != "" {
+				id = append(id, '-')
+				id = append(id, p...)
+			}
+		}
+	}
+	section(s.Cipher, s.KeySize, s.Mode)
+	section(s.MAC, s.Hash, s.Trunc)
+	return id
+}

go1/sqlite3/codec/codec_test.go

@@ -83,3 +83,46 @@ func TestHKDF(t *testing.T) {
 		}
 	}
 }
+
+func TestSuiteId(t *testing.T) {
+	tests := []struct {
+		suite suiteId
+		out   string
+	}{
+		{suiteId{},
+			""},
+		{suiteId{Cipher: "aes"},
+			"aes"},
+		{suiteId{KeySize: "128"},
+			"128"},
+		{suiteId{Cipher: "aes", KeySize: "128"},
+			"aes-128"},
+		{suiteId{Cipher: "aes", Mode: "ctr"},
+			"aes-ctr"},
+		{suiteId{Cipher: "aes", KeySize: "128", Mode: "ctr"},
+			"aes-128-ctr"},
+		{suiteId{MAC: "hmac"},
+			"hmac"},
+		{suiteId{MAC: "hmac", Hash: "sha1"},
+			"hmac-sha1"},
+		{suiteId{MAC: "hmac", Hash: "sha1", Trunc: "128"},
+			"hmac-sha1-128"},
+		{suiteId{Cipher: "aes", MAC: "hmac"},
+			"aes,hmac"},
+		{suiteId{Cipher: "aes", Hash: "sha1"},
+			"aes,sha1"},
+		{suiteId{Mode: "ctr", Hash: "sha1"},
+			"ctr,sha1"},
+		{suiteId{Cipher: "aes", KeySize: "128", MAC: "hmac", Hash: "sha256"},
+			"aes-128,hmac-sha256"},
+		{suiteId{Cipher: "aes", Mode: "ctr", Hash: "sha256", Trunc: "128"},
+			"aes-ctr,sha256-128"},
+		{suiteId{Cipher: "aes", KeySize: "256", Mode: "ctr", MAC: "hmac", Hash: "sha256", Trunc: "128"},
+			"aes-256-ctr,hmac-sha256-128"},
+	}
+	for _, test := range tests {
+		if out := string(test.suite.Id()); out != test.out {
+			t.Errorf("%#v expected %q; got %q", test.suite, test.out, out)
+		}
+	}
+}